The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=635ad6f2ec97e9c6b1f15620cd5ee84eb632082f
commit 635ad6f2ec97e9c6b1f15620cd5ee84eb632082f Author: Jane Smith <[email protected]> AuthorDate: 2026-06-22 21:40:53 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-06-22 21:44:44 +0000 librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name() Include an extra byte for the nul-terminator, otherwise we may end up with an out-of-bounds write. The corresponding bug in the kernel implementation was fixed by commit e3081f7e3e2d ("kgssapi(4): Fix string overrun in Kerberos principal construction"). Reviewed by: markj MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D57738 --- lib/librpcsec_gss/svc_rpcsec_gss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c index 73b92371e6d0..a15542330697 100644 --- a/lib/librpcsec_gss/svc_rpcsec_gss.c +++ b/lib/librpcsec_gss/svc_rpcsec_gss.c @@ -247,7 +247,7 @@ rpc_gss_get_principal_name(rpc_gss_principal_t *principal, * Construct a gss_buffer containing the full name formatted * as "name/node@domain" where node and domain are optional. */ - namelen = strlen(name); + namelen = strlen(name) + 1; if (node) { namelen += strlen(node) + 1; }
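Review bot: The `+ 1` added in `namelen = strlen(name) + 1;` is the byte for the nul-terminator, but it reads the same as the separator byte counted in `namelen += strlen(node) + 1;` just below it. A short comment saying it is for the terminator, or adding that byte once after the optional node and domain parts have been counted, would keep a later cleanup from removing it as a duplicate. The comment above the change says the result is a gss_buffer holding "name/node@domain". If namelen is also stored as that buffer's length, which the hunk does not show, the length would now count the terminator, so it is worth confirming that only the allocation size uses the larger value.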
